SANS on OpenSSL FUD and Windows Failures
-
Critical OpenSSL 3.0 Update Released. Patches CVE-2022-3786, CVE-2022-3602 (Tue, Nov 1st) [Ed: This title is still false.]
As preannounced, OpenSSL released version 3.0.7, which patches two related vulnerabilities rated as "High." Initially, as part of a preannouncement, the vulnerability was rated "Critical." OpenSSL 3.0 was initially released in September of last year.
The update patches a buffer overrun vulnerability that happens during the certificate verification. The certificate needs to contain a malicious Punycode encoded name, and the vulnerability is only triggered AFTER the certificate chain is verified. An attacker first needs to be able to have a malicious certificate signed by a certificate authority the client trusts. This does not appear to be exploitable against servers. For servers, this may be exploitable if the server requests a certificate from the client (mTLS) [1]. OpenSSL also published a blog post with details here: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
In short: While this is a potential remote code execution vulnerability, the requirements to trigger the vulnerability are not trivial, and I do not see this as a "Heartbleed Emergency". Patch quickly as updated packages become available, but beyond this, no immediate action is needed.
-
InfoSec Handlers Diary Blog - SANS Internet Storm Center
I spotted a malicious RAR archive that contained a VBS script. It was called “Unidad judicial citacion pendiente Fiscalia.rar” and protected with a simple 4-digit password to defeat automatic scanning. Inside, the VBS script has the same name. Both are unknown to VT.
-
Microsoft November 2022 Patch Tuesday, (Tue, Nov 8th) [Ed: Microsoft left many known holes unpatched until it was too late and those were widely exploited]
The previously disclosed (and exploited) vulnerability is a security feature bypass on Windows Mark of the Web (MOTW) (CVE-2022-41091). According to the advisory, an attacker can craft a malicious file that would evade MOTW defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. The CVSS for this vulnerability is 5.4.
-
Windows Malware with VHD Extension
Windows 10 supports various virtual drives natively and can recognize and use ISO, VHD and VHDX files. The file included as an attachment with this email, when extracted, appears in the email as a PDF but is in fact a VHD file.
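Identifying an attachment by its real container type rather than the extension it displays, as an added example that is not from the SANS diary: the cookies and offsets are the documented VHD, VHDX, ISO 9660 and PDF on-disk values, and the sample blobs are constructed here, not real malware.

```python
# Added example (not SANS ISC code): sniff an attachment's real container type
# from magic bytes and flag a mismatch with the extension it was delivered under.
from pathlib import PurePosixPath

# Formats Windows 10 mounts natively, plus PDF (the type the lure claims).
VHD_COOKIE = b"conectix"      # VHD footer cookie, last 512 bytes (copy at offset 0 for dynamic disks)
VHDX_SIGNATURE = b"vhdxfile"  # VHDX file type identifier at offset 0
ISO_SIGNATURE = b"CD001"      # ISO 9660 primary volume descriptor, offset 0x8001
PDF_SIGNATURE = b"%PDF-"      # PDF header at offset 0

EXT_FOR_TYPE = {"vhd": {".vhd"}, "vhdx": {".vhdx"}, "iso": {".iso"}, "pdf": {".pdf"}}


def sniff_type(data: bytes) -> str:
    """Return 'vhd', 'vhdx', 'iso', 'pdf' or 'unknown' from content alone.
    Mountable image checks run before the PDF check so a PDF-looking prefix
    cannot hide a disk image that carries its cookie in the footer."""
    if data.startswith(VHDX_SIGNATURE):
        return "vhdx"
    if data.startswith(VHD_COOKIE) or (len(data) >= 512 and data[-512:-504] == VHD_COOKIE):
        return "vhd"
    if len(data) > 0x8001 + 5 and data[0x8001:0x8006] == ISO_SIGNATURE:
        return "iso"
    if data.startswith(PDF_SIGNATURE):
        return "pdf"
    return "unknown"


def is_disguised(filename: str, data: bytes) -> bool:
    """True when the content is a mountable image but the name claims something else."""
    kind = sniff_type(data)
    ext = PurePosixPath(filename).suffix.lower()
    return kind in ("vhd", "vhdx", "iso") and ext not in EXT_FOR_TYPE[kind]


# Constructed samples: a fixed VHD is a data area followed by a 512-byte footer
# that begins with the cookie; the lure names it as if it were a PDF.
def fake_fixed_vhd(size: int = 4096) -> bytes:
    footer = VHD_COOKIE + b"\x00" * (512 - len(VHD_COOKIE))
    return b"\x00" * size + footer


def fake_pdf() -> bytes:
    return b"%PDF-1.7\n%constructed sample\n%%EOF\n"


if __name__ == "__main__":
    for name, blob in [("citacion.pdf", fake_fixed_vhd()), ("citacion.pdf", fake_pdf())]:
        print(name, sniff_type(blob), "DISGUISED" if is_disguised(name, blob) else "ok")
```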